The new General Data Protection Regulation ("GDPR") will come into force throughout the European Union on May 25, 2018. The GDPR will replace existing data protection laws and introduce significant changes and requirements that will have a wide-ranging impact worldwide on the way organizations handle and use data.
The GDPR is a real game changer for e-commerce businesses and online stores. Those companies, by their nature, receive and process a vast amount of personal data. This Legal Update highlights the main issues that companies engaged in e-commerce should take into account when implementing policies and procedures in compliance with the GDPR.
1. The territorial scope
The GDPR will apply to any processing of personal data in the context of the activities of an organization established in the European Union. For organizations established outside of the European Union, the GDPR will apply when the organization processes personal data in connection with (a) the offering of goods or services to an individual in the European Union and/or (b) the monitoring of the behavior of an individual in the European Union. As a consequence, companies that offer products and services to individuals in the European Union via their websites or other online platforms will now have to comply with EU data protection rules.
When assessing whether a company is offering goods and services to EU individuals, the mere accessibility of the company's website from the European Union will not be sufficient to trigger the application of the GDPR. In order to fall under the scope of the new regulation, it must be apparent that the company envisages offering services to individuals located in the European Union, for instance by mentioning EU currency, by referencing EU customers or by presenting ordering information in an EU language (when this is not the language generally used in the country where the company is based). The Article 29 Working Party, the EU body made up of representative of national data protection authorities, is expected to provide guidance on territorial assessment in the following months.
2. Legal basis for processing
Companies will need to identify a legal ground for their processing activities. In this regard, the main change introduced by the GDPR relates to consent. Higher standards will apply in that regard, and valid consent will be harder to obtain. Indeed, it requires a clear affirmative action by the data subject—silence, pre-ticked boxes, inactivity, failure to opt-out or other such mechanisms will not be enough to qualify as valid consent.
E-commerce businesses should keep in mind that the GDPR allows for processing of personal data on other legal grounds, including if the processing is necessary for the performance of a contract with the data subject. This legal basis applies to data required to process an online payment or deliver the purchased product. In such cases, there is no need to get consent.
Companies seeking to rely on such alternative grounds should conduct a necessity test to determine if only the information necessary for the purposes of the contract is being collected. When requiring other personal data (e.g., personal data for use beyond the primary purpose of processing a payment, filling an order, delivering the purchased good, etc.), the company will need to identify another legal basis (e.g., consent or legitimate interest). This is especially relevant when customer data are used for marketing or advertising purposes.
3. Retention periods
Under the GDPR, personal data should not be retained longer than necessary. As a consequence, companies should delete personal data when the purpose of the processing has been achieved. Typically, personal data collected when a good is purchased are likely to be deleted at the end of the contract. In some cases, however, companies want to keep all or some of the data. In those circumstances, companies should find other grounds for keeping the data—for example, the need to retain to deal with legal requirements that might apply under national law.
4. Privacy notices
Under the principle of transparency, the GDPR requires companies to inform data subjects on how their personal data are being processed. Specific information must be provided, such as the purpose and the legal basis for processing, whether personal data are shared with third parties, if the company conducts profiling activities, etc. E-commerce businesses will have to provide data privacy notices at the time personal data are obtained. For this purpose, a link to the terms and conditions and to the privacy notice of the company should be displayed when the customer purchases goods online, and privacy notices may need to be updated to comply with the GDPR.
5. Data subjects’ rights
The GDPR strengthens data subjects' rights. It introduces new rights such as the right to be forgotten, the right to data portability and the right to restrict the processing. Companies should also allow their customers to exercise these rights. And to comply with their obligations, online stores and e-commerce businesses should ensure that customers are in control of their personal data, being able to access and modify the data. To facilitate meeting these requirements, companies should provide information on whom customers can contact regarding their data privacy concerns.
6. Contracts with third parties and international transfers
Companies involved in e-commerce activities often outsource components of these activities, such as payments, marketing or IT. Under the GDPR, whenever a data controller (the e-commerce company) uses a processor (a third party who processes personal data on behalf of the controller), the controller needs to have a written contract in place that includes certain specific terms such as data processed and duration, obligations such as data breach reporting and audit assistance, use of technical measures, etc. Outsourcing agreements should be reviewed and, where necessary, renegotiated to ensure that companies are appropriately supervising the manner in which they process personal data and that the specific required provisions are included. When service providers are located outside the EEA (European Economic Area), legal mechanisms for carrying out personal data transfers should also be identified.
The new GDPR requirements will impact e-commerce businesses, as they handle a large amount of personal data in their daily activities. In around 100 days, the GDPR will enter into force. This is the last call to kick off your GDPR compliance project.